MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file was identified as malicious due to a high ML classifier score and heuristics indicating it functions as a link farm. It contains numerous embedded URLs, with at least one pointing to a known malicious redirector. The document body, though heavily obfuscated, appears to contain the same URLs, suggesting the primary purpose is to direct users to external, potentially harmful, sites.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=frases+para+musicos+saxofonistas
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://25180dbc-e08d-4008-8d18-9d78967fbc03.filesusr.com/ugd/cc3ca9_ab388267531841a0ad3dd6e41e8d14e9.pdf?index=true
- https://1418061f-de03-4862-8b7c-b905fabb8f06.filesusr.com/ugd/895bef_9b59bd7fad6e4a25971520c16d392267.pdf?index=true
- https://d2f37926-dcc1-4d65-abbc-73aeeeaf9c6c.filesusr.com/ugd/0779a3_702501976eb447ddb44203641b6556e8.pdf?index=true
- https://fcb8011f-085e-4915-a35d-c96908b27c74.filesusr.com/ugd/cc03df_a18af3d383bc483b8a9f06ea46c93084.pdf?index=true
- https://3a38ad52-1548-41f1-a009-31cefd31582c.filesusr.com/ugd/3ed902_4c3c32491568451caf7c160d28134953.pdf?index=true
- https://d633c181-93cf-437a-80b9-f35d60bb9c3f.filesusr.com/ugd/10b03a_0c5913ae5b4841049f0ce8e805bdd679.pdf?index=true
- https://a80a3481-4916-468a-910c-329c25e90f23.filesusr.com/ugd/97aff7_84a1341f77a544f183eec3ebda68e13f.pdf?index=true
- https://7206bf16-f5e4-4ad3-8c3f-4a4c19ce8d15.filesusr.com/ugd/31bf02_bb081674afd44df19eb43ee8a5814383.pdf?index=true
- https://58acf12d-24da-433d-a217-76ad805c0ab9.filesusr.com/ugd/98857b_4a382d7e14fb4c61ba062bf15c615e4a.pdf?index=true
- https://ebcb39e2-b2c8-4bdc-89d6-edaef38f246a.filesusr.com/ugd/544c7e_7eba23f9fd52491381b7d2f6d5a7b6e2.pdf?index=true
- https://3d5b0252-70c3-4101-8ee6-f43234f73917.filesusr.com/ugd/2994dd_b06afcafc960404d83404fd1bd266119.pdf?index=true
- https://613ec3b0-0b04-4ccf-b07e-dcbad0bbc2f1.filesusr.com/ugd/b27199_5316e6ba61e84d1aa809d1a68212b452.pdf?index=true
- https://0c845ed6-dbd2-4a22-9487-e81f1c1f0cd2.filesusr.com/ugd/1c8c1e_c70b7b6817be48d2820e0e56100dc368.pdf?index=true
- https://46442436-52c8-461e-ba51-df276598d8ee.filesusr.com/ugd/1a94e8_26c4e80508ca431183cba6f7a3b35538.pdf?index=true
- https://d0a63792-a422-4a25-8707-31d0c4b26815.filesusr.com/ugd/585b1d_17674032463440638ad15539920af9e5.pdf?index=true
- https://54ef48f1-ef30-4dbd-96e0-7282b0caf6d8.filesusr.com/ugd/48f461_342d40e5ce2042e996ed78b0a5f6d5bd.pdf?index=true
- https://2d7389f0-4072-48e2-b336-c9256a78aff1.filesusr.com/ugd/c70c35_cafcfabbd63f4468a5f0423c4eb37d2a.pdf?index=true
- https://ebd8f3af-0d19-47a5-b4d3-055f6a03eb56.filesusr.com/ugd/15cd4d_b21e4575a3ad4a34b54ed3f9f1907041.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007147.binc3bd0d8f58bbf3059b2c5629d44607348c144fbb576e1e6e60826befe10b2ade |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7147 | 5032 bytes |
font_01_sfnt_off00008255.bin15b2870d6f878344ddfa8cc2a30044ec400b1789f8e6b0bcb76db3a58262555d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8255 | 11348 bytes |
font_02_sfnt_off0000a775.binaad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA775 | 16312 bytes |
font_03_sfnt_off0000bd01.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBD01 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.